Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Matthew Righetti says companies that leak consumer data should be forced to pay. But the San Francisco plaintiffs lawyer can’t say how much. Or, for that matter, whether any court would agree with him. In fact, no one is sure. While electronic privacy breaches have caught the attention of big media — the Wall Street Journal wrote Monday that they’re generating large class actions — the major class action firms have shied away from. Since the cases rest on untested laws — and often involve victims with no monetary losses — the big plaintiffs firms are letting smaller outfits like Righetti’s take the first steps in a litigation area with equally great risks. Eager to find new practice areas without competition from the big firms that dominate consumer and securities class actions, the small plaintiffs shops have been happy to oblige. Basing their complaints on disclosure notices that companies, under California law, send to customers whose financial data has been leaked, a bevy of small firms has aggressively pursued the suits. While the plaintiffs lawyers say the notices fairly reek of liability, the outlook is so uncertain that small plaintiffs shops feel forced to share the risk of privacy suits with other firms. Collaboration “is a way of the plaintiff bar being cautious,” said Righetti, a partner at Righetti & Wynne who has three active privacy class actions in federal court, and is investigating a handful of others. “They take a lot of time and a lot of money and are very risky, so you find more collaborative work.” San Rafael, Calif–based attorney Ira Rothken — who was part of a privacy case that generated $1.8 million in attorney fees in 2001 — said smaller firms can explore areas of the law that don’t have well-trod roads to riches. “Big firms, from an economic perspective, have to go where the big money is,” he said. “Smaller firms — at least my firm — have more flexibility.” Between 2001 — when Rothken and several other lawyers settled a suit with the Internet company Doubleclick for $1.8 million in attorney fees and injunctive relief — and last year, few privacy suits were filed. That’s changed recently, largely because of a California law that since 2003 has required companies to publicize security breaches. And that law has created a veritable complaint mill since February, when companies began notifying customers nationwide when such a breach happens. The California law “became the de facto national standard,” said William Reece Hirsch, a partner at Sonnenschein Nath & Rosenthal who advises companies on security issues. “It’s a public-relations disaster to send out the notices in California but not to other customers.” ChoicePoint found that out in February, when identity thieves accessed information on 145,000 people from the consumer data provider. After taking heat for only notifying California customers, ChoicePoint eventually sent notices out nationwide. Four class actions followed. Those cases are consolidated in the U.S. District Court for the Central District of California. They involve at least a dozen small plaintiff firms, including Righetti & Wynne and several other local ones. Hirsch said the ChoicePoint cases are being closely watched by defense lawyers — in fact, he wrote an article about them last month for a Washington, D.C., privacy law publication. He said he expected the cases to give a good sense of how the federal courts will view the privacy litigation. Most important, he said, is the question of whether a federal credit-reporting law allows people whose information has been leaked — but who haven’t suffered identity theft — to collect damages. Also at issue in the federal cases is the fact that federal law only covers “consumer reporting agencies.” Defendants often challenge the definition of that term, making it hard to know which companies face liability. In a federal case filed in April against LexisNexis over a privacy breach, Righetti bolsters his federal claims with charges that the company also violated state credit reporting law. But the state laws are equally untested. That could change with a suit Rothken filed earlier this month in San Francisco Superior Court. In his case against CardSystems (read the complaint in PDF format), Rothken argues that the company’s lax security measures allowed a hacker last month to expose 40 million consumers’ credit data. Rothken makes his arguments under California’s unfair competition and customer records statutes. The lack of clarity on which state laws are most applicable grows partially from how privacy legislation came about. The various state privacy laws “got added piece by piece,” said Joanne McNabb, chief of the California Office of Privacy Protection. For this reason, plaintiff lawyers say, the courts will determine the most appropriate statute. Ultimately, the fate of the suits, state or federal, will rest on how the courts define harm, said Victor Schachter, a partner at Fenwick & West who helps companies formulate privacy policies. “It’s still a story of, ‘Where are the damages?’” he said. Schachter and Hirsch agreed that no one knows whether harm has to come in the form of money, or if it can be something more nebulous, like emotional insecurity after a breach or time spent restoring a credit rating. Plaintiffs lawyer Rothken said he doesn’t expect privacy suits to turn into the next asbestos. “It’s very hard, from an economic incentive kind of way, to bring these lawsuits,” he said. But Righetti points out that there are some cases with cause for great optimism. He is co-lead counsel in a class action against credit reporting agency TransUnion in Illinois federal court. That case is seen as less risky than others, since the Federal Trade Commission found that TransUnion didn’t adequately protect consumer information. Accordingly, about 25 firms have become involved with the suit, including Milberg Weiss Bershad & Schulman, one of the country’s biggest plaintiff firms. And in what is perhaps the best sign for the plaintiffs bar, tech companies and big defense firms have been beefing up their privacy departments, indicating a growing concern that privacy litigation could create expensive liabilities. “There’s definitely a groundswell among lawyers and consultants on privacy,” said McNabb. And, Hirsch added, each time he has to advise a company on a privacy breach disclosure, liability is a prime concern. Todd Schneider, a partner at the plaintiffs firm Schneider & Wallace who is involved in the ChoicePoint litigation, said that will continue to be the case, as class action lawyers learn how best to sue over privacy breaches. “Each new case we do, we share information,” he said. “We share intelligence. A bar is growing.”

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.